Calso 🌋 ∞/21M

A security researcher just documented a large-scale counterfeit Ledger Nano S Plus operation selling compromised devices across multiple online marketplaces. The fake units look identical to the real thing but contain completely different hardware. Instead of Ledger's secure element chip, the counterfeits run an ESP32 microcontroller with modified firmware labeled "Nano S+ V2.1." Seeds and PINs are stored in plain text and transmitted to attacker-controlled servers. Any wallet initialized on the device is drained. The operation goes beyond the hardware. The sellers also distribute a fake version of Ledger Live built with React Native and signed with a debug certificate. It intercepts transactions and exfiltrates sensitive data to multiple command-and-control servers. The campaign spans five attack vectors: compromised hardware, Android APKs, Windows executables, macOS installers, and iOS apps distributed through TestFlight to bypass App Store review. This comes days after ZachXBT documented a separate fake Ledger Live app that made it through Apple's Mac App Store review process. That operation drained over $9.5 million from more than 50 victims, including musician G. Love, who lost 5.92 BTC after entering his recovery phrase into what he believed was the legitimate app. The pattern is clear: the attack surface for hardware wallet users has shifted from firmware exploits to supply chain and distribution fraud. The devices themselves remain secure. The problem is that users are being intercepted before they ever touch a real one. Ledger's own "genuine check" feature can be bypassed when the hardware itself is compromised at the source, which makes where you buy the device as important as how you use it. The rules haven't changed, but they've never been more important: buy hardware wallets only from the manufacturer. Never enter your recovery phrase into any software. If a companion app asks for your 24 words on a screen, it's a scam. Every time.

telegram is the biggest psyop in privacy history. no encryption by default. vast majority of the 1B users send private messages in clear plain text to the telegram servers. most users wrongly assumes that they have pRiVaCy because durov said so in a podcast. it's a literal affinity scam. TELEGRAM IS NOT A PRIVACY MESSENGER. I don't understand why none of his podcast hosts ever pushes back on this obvious, blatant, dangerous bullshit.

Die neue Folge ist raus E259 - Die Geschichte von Trezor: Pioniere des Hardware Wallets 🧱 Wie Slush nach einem Hack von >3000 BTC das erste Hardware Wallet baute 🔐 Multishare vs. Multisig 🛠 Safe 7, Quantum Ready Boardloader https://t.co/0SKTR3n0XP https://t.co/fqjHCoysDf

It is truly insane that the open-source software developers who NEVER CONTROLLED USER FUNDS (Samourai wallet devs) are going to prison when big bankers who LITERALLY LAUNDERED MONEY FOR FUCKING JEFFREY EPSTEIN (JP Morgan) just pay a fine as a cost of doing business. The system is broken, and if you’re not angry, you should be.